Stored XSS via Product Name in Rental Expiration Warning Email #5

@ghost

Description

Vulnerability: Stored Cross-Site Scripting (XSS)

Location: Rental Expiration Warning Email

Source: Link.name field (product name, controllable by sellers).

Sink:

  1. In the rental_expiration_warning method of /app/app/mailers/customer_low_priority_mailer.rb:241, the purchase.link.name is interpolated directly into an HTML string.
  2. This entire string is then marked .html_safe and assigned to the @content instance variable.
  3. This @content variable is likely rendered without further escaping in the mailer's view template.

Exploitation:

  1. A seller creates or edits a product and sets its name to an XSS payload, e.g., <img src=x onerror=alert('XSS-RentalWarning')>.
  2. A user rents this product.
  3. When the rental expiration warning email is generated and sent to the user, the seller's malicious product name is rendered unsanitized, executing the script in the user's email client.

Impact: Allows sellers to execute arbitrary JavaScript in the context of users receiving rental expiration warning emails.

Recommendation: HTML-escape the purchase.link.name before interpolating it into the string. For example: ... rental of #{h(purchase.link.name)} will expire .... Alternatively, ensure @content is escaped in the view template, but escaping at the source (before interpolation) is generally preferred.
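To make the sink and the fix concrete, here is an added stand-alone Ruby example (not the project's mailer code). It uses constructed `LinkStub`/`PurchaseStub` structs in place of the real ActiveRecord models and `ERB::Util.html_escape` from the standard library, which is the method behind Rails' `h` helper, so it runs without Rails. The first builder reproduces the reported pattern (seller-controlled name interpolated raw into the HTML string); the second escapes at the source as the recommendation suggests.

```ruby
require 'erb'

# Constructed stand-ins for the models the mailer reads (not the project's own classes).
LinkStub = Struct.new(:name)        # Link.name is seller-controlled
PurchaseStub = Struct.new(:link)

# Mirrors the vulnerable pattern from the report: the product name is
# interpolated directly into an HTML string that is later treated as safe HTML
# (in Rails, via .html_safe), so any markup in the name reaches the email body.
def rental_warning_unsafe(purchase)
  "Your rental of #{purchase.link.name} will expire soon."
end

# Recommended form: escape the untrusted value before interpolation.
# ERB::Util.html_escape is what Rails' `h` view helper calls under the hood.
def rental_warning_escaped(purchase)
  "Your rental of #{ERB::Util.html_escape(purchase.link.name)} will expire soon."
end

# Minimal detection check a reviewer or test suite can apply to generated
# content: does the string still contain the start of an HTML tag?
def contains_html_tag?(content)
  content.match?(%r{<[A-Za-z!/]})
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input using the payload from the report.
  hostile = PurchaseStub.new(LinkStub.new("<img src=x onerror=alert('XSS-RentalWarning')>"))
  puts "unsafe : #{rental_warning_unsafe(hostile)}"
  puts "escaped: #{rental_warning_escaped(hostile)}"
  # A legitimate name with an ampersand is escaped but still renders correctly.
  benign = PurchaseStub.new(LinkStub.new("Rock & Roll Sample Pack"))
  puts "benign : #{rental_warning_escaped(benign)}"
end
```

The escaped builder turns the `<img>` element into `&lt;img ... &gt;`, which the email client displays as literal text instead of executing; the same check against `rental_warning_unsafe` fails, which is the condition a regression test for this issue should assert on.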
